Don't be too quick to pay extortion fees based on the threat of an attack

If you or your employer receives a threatening email saying that your website will be targeted with a Denial of Service Attack, don't be too quick to pay them to preempt the attack. A recent report by security firm CloudFlare disclosed that targeted victims appear to have paid as much as $100,000 USD based only on an email threat that, on close analysis, was not credible. It can be scary to receive such an email, but there are some clues that can help you determine whether the threat is real.

The email sent to intended victims threatens to overwhelm their website in a way that is impossible to stop. The attackers demanded 10 Bitcoins (about $4,000 USD) to prevent the attack. However, the attacker said that the fee would increase after the attack begins, and would escalate rapidly until payment is made. There were several scary aspects to the message, including the fact that the attackers were calling themselves the Armada Collective, a well-known cyber-criminal group. But there is no proof that the note was related to that gang in any way.

To date, there is zero evidence that any of the threatened attacks were ever carried out. This means that it may have been a bluff. But many targeted victims apparently paid up, just to prevent the attack.

There are clues that this threat was not credible: the Bitcoin address used for payments was the same in all of the messages received by victims. According to CloudFlare, if a victim did send the Bitcoins to the attacker's address, it would be difficult, if not impossible, for the attacker to verify who actually paid them under the prescribed arrangement. This, together with the fact that no actual attacks related to these threats have been reported, means that the attacker likely never intended to carry out such an attack. They only wanted to scare some of the victims enough that they would pay based on the threat alone.

A smart thing for a victim to do is demand proof that the attacker has the capability. Usually, an attacker will launch a small “show of force” (as in most super-hero movies where the villain usually demonstrates their power before making a demand on the citizens of the world), and THEN they will demand extortion money to halt the attack. But if no demonstration was provided in advance, there’s a real possibility that the attacker making the threat could not (or would not) carry out their attack.
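The two clues above, a payment address reused across every victim and the absence of any demonstration attack, can be turned into a simple triage check. The following is an added example, not code from the original post or from CloudFlare; the email bodies, victim names, addresses and telemetry flags are all constructed for illustration, and the address pattern is a loose syntactic match rather than a checksum validation.

```python
import re
from collections import defaultdict

# Loose syntactic match for base58 (1.../3...) and bech32 (bc1...) addresses.
# It only finds candidate payment addresses; it does not validate checksums.
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})\b"
)


def extract_btc_addresses(body):
    """Return the set of candidate Bitcoin addresses found in an email body."""
    return set(BTC_ADDR_RE.findall(body))


def triage_extortion_emails(emails, demo_attack_seen):
    """Assess each extortion email on the two credibility clues from the post.

    emails: list of {"victim": str, "body": str} (one per threatened site)
    demo_attack_seen: {victim: bool} taken from your own traffic telemetry,
                      i.e. whether a 'show of force' actually hit that site.
    Returns {victim: {"verdict": str, "reasons": [str]}}.
    """
    # Map every payment address to the set of victims it was sent to.
    address_to_victims = defaultdict(set)
    for email in emails:
        for addr in extract_btc_addresses(email["body"]):
            address_to_victims[addr].add(email["victim"])

    results = {}
    for email in emails:
        victim, reasons = email["victim"], []
        # A shared address means the attacker cannot tell who paid, so the
        # threat cannot be selectively enforced against non-payers.
        shared = [a for a in extract_btc_addresses(email["body"])
                  if len(address_to_victims[a]) > 1]
        for addr in shared:
            reasons.append(f"payment address {addr} reused across "
                           f"{len(address_to_victims[addr])} targets")
        no_demo = not demo_attack_seen.get(victim, False)
        if no_demo:
            reasons.append("no demonstration attack observed against this target")
        # Both clues present: treat as a probable bluff; otherwise keep investigating.
        verdict = "likely bluff" if shared and no_demo else "unverified - investigate"
        results[victim] = {"verdict": verdict, "reasons": reasons}
    return results


# Constructed sample data (fictional victims, addresses and telemetry).
SAMPLE_EMAILS = [
    {"victim": "shop.example", "body": "Send 10 BTC to 1ConstructedAddrExampAAAAAAAAAA or we attack."},
    {"victim": "bank.example", "body": "Send 10 BTC to 1ConstructedAddrExampAAAAAAAAAA or we attack."},
    {"victim": "news.example", "body": "Pay 1SecondConstructedAddrBBBBBBBBBB now."},
]
SAMPLE_TELEMETRY = {"shop.example": False, "bank.example": False, "news.example": True}

if __name__ == "__main__":
    for victim, r in triage_extortion_emails(SAMPLE_EMAILS, SAMPLE_TELEMETRY).items():
        print(victim, r["verdict"], r["reasons"])
```

Feed it the real message bodies and your own traffic observations; a "likely bluff" verdict is a reason to hold off paying and keep watching, not a guarantee that nothing will arrive.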

So, even if the threat looks scary and plausible, don’t be too hasty in paying when there’s no proof that the attacker has the capability. Here’s a link to the CloudFlare blog article about the threats.